01:31:42 *** Mkop has quit IRC
02:27:11 *** Mkop has joined #openmrs
02:27:11 *** ChanServ sets mode: +v Mkop
02:46:19 *** mseaton has joined #openmrs
02:46:19 *** ChanServ sets mode: +v mseaton
03:07:36 *** LVW has joined #openmrs
04:27:12 *** djazayeri has quit IRC
04:32:36 *** mseaton has left #openmrs
06:19:57 *** matthewl has joined #openmrs
06:21:44 <matthewl> Evening everyone
06:58:15 *** matthewl has left #openmrs
09:16:18 *** lh has quit IRC
09:26:09 *** dkayiwa has joined #openmrs
09:30:31 *** Mkop1 has joined #openmrs
09:30:31 *** ChanServ sets mode: +v Mkop1
09:30:52 *** Mkop has quit IRC
10:48:14 *** dkayiwa has quit IRC
10:49:32 *** rafa has joined #openmrs
10:49:32 *** ChanServ sets mode: +v rafa
10:56:45 *** rafa has quit IRC
11:08:16 *** yony258 has joined #openmrs
11:09:02 <yony258> Hi, how come the demonstration DB doesn't have any visit types but still has visits? (I thought that visitType can't be null)
13:07:59 *** Dilan has joined #openmrs
13:16:34 <Dilan> hi
13:19:22 *** mseaton has joined #openmrs
13:19:22 *** ChanServ sets mode: +v mseaton
13:19:32 *** mseaton has left #openmrs
13:22:43 *** Dilan has quit IRC
13:23:28 *** dilangamachchige has joined #openmrs
13:29:49 *** ss_ has joined #openmrs
13:31:50 <ss_> why
13:36:17 *** ss_ has quit IRC
13:56:13 *** mseaton has joined #openmrs
13:56:13 *** ChanServ sets mode: +v mseaton
13:56:23 *** mseaton has left #openmrs
14:05:54 *** Mkop1 has quit IRC
14:06:01 *** Mkop has joined #openmrs
14:06:01 *** ChanServ sets mode: +v Mkop
14:12:57 *** dilangamachchige has quit IRC
14:19:37 *** yony258 has quit IRC
14:58:58 *** LVW has quit IRC
15:47:01 *** k-joseph has joined #openmrs
15:48:56 *** rafa has joined #openmrs
15:48:56 *** ChanServ sets mode: +v rafa
15:56:30 *** dkayiwa has joined #openmrs
15:57:25 <k-joseph> dkayiwa: hi
15:57:30 <dkayiwa> k-joseph: hi
16:00:27 *** dkayiwa has quit IRC
16:07:54 *** robbyoconnor has quit IRC
16:08:11 *** rafa has quit IRC
16:08:24 *** robbyoconnor has joined #openmrs
16:08:24 *** ChanServ sets mode: +v robbyoconnor
16:40:41 *** k-joseph_ has joined #openmrs
16:41:02 <k-joseph_> \nick k-joseph
16:41:29 *** k-joseph has quit IRC
16:41:50 *** k-joseph_ is now known as k-joseph
16:44:38 *** dkayiwa has joined #openmrs
16:48:10 <k-joseph> dkayiwa: i think i have gotten something from the resource you recommended me to, am through with it and am looking forward to resume, thanks a lot
16:48:30 <dkayiwa> k-joseph: ok great
16:48:55 <dkayiwa> k-joseph: can you rewrite the other unit test and pastebin it to me?
16:50:44 <k-joseph> dkayiwa: please remind me of what am to consider for that unit test!
16:51:20 <dkayiwa> k-joseph: combine the knowledge you have learnt from the document and the ticket required info
16:51:29 <dkayiwa> k-joseph: then send me what you think
16:52:01 <k-joseph> dkayiwa: ok
16:55:09 *** k-joseph_ has joined #openmrs
16:58:38 *** k-joseph has quit IRC
16:59:38 *** k-joseph_ has quit IRC
17:02:04 *** k-joseph_ has joined #openmrs
17:02:39 <k-joseph_> \nick k-joseph
17:02:49 *** k-joseph_ is now known as k-joseph
17:11:10 <k-joseph> dkayiwa: hi
17:11:20 <dkayiwa> k-joseph: hi
17:11:29 <k-joseph> dkayiwa: while focussing on the description of this ticket TRUNK-3751, i realise i don't get the warning described, and in your comment you have this as the first thing to be worked upon, then write a test for it. i know the test can be written first but am still not well versed with what am testing, maybe i need further enlightenment, i will be glad to receive your further assistance, thanks
17:12:31 <dkayiwa> k-joseph: the unit test can be there to prove that what is reported is not actually happening
17:12:42 <dkayiwa> k-joseph: by the unit test passing
17:13:17 <dkayiwa> k-joseph: so the test should be to test for the reported problem. if the unit test passes, then it means the problem was fixed
17:13:26 <dkayiwa> k-joseph: have i confused you even more?
17:15:44 *** k-joseph has quit IRC
17:19:56 *** k-joseph has joined #openmrs
17:20:43 <k-joseph> dkayiwa: hi
17:20:51 <dkayiwa> k-joseph: hi
17:23:55 <dkayiwa> dkayiwa: k-joseph: the unit test can be there to prove that what is reported is not actually happening
17:23:55 <dkayiwa> [8:45pm] dkayiwa: k-joseph: by the unit test passing
17:23:56 <dkayiwa> [8:46pm] dkayiwa: k-joseph: so the test should be to test for the reported problem. if the unit test passes, then it means the problem was fixed
17:23:56 <dkayiwa> [8:46pm] dkayiwa: k-joseph: have i confused you even more?
17:28:18 <dkayiwa> k-joseph: are you there?
17:28:30 <k-joseph> dkayiwa: yes,
17:28:41 <dkayiwa> k-joseph: why not respond to me?
17:28:44 <k-joseph> dkayiwa: not confusing
17:29:00 <dkayiwa> k-joseph: and why didn't you respond already?
17:29:36 <k-joseph> dkayiwa: sorry, was much taken up by what you meant
18:22:03 *** rafa has joined #openmrs
18:22:03 *** ChanServ sets mode: +v rafa
18:25:09 *** Mkop has quit IRC
18:26:54 *** rafa has quit IRC
19:02:23 <k-joseph> dkayiwa: i have gone ahead and done what i have thought out for this test case, i really need your extended assistance as far as this is concerned, my test case is failing the test
19:02:54 <k-joseph> dkayiwa: paste at http://pastebin.com/ujdpE8K8
19:02:58 *** Mkop has joined #openmrs
19:02:58 *** ChanServ sets mode: +v Mkop
19:09:32 *** LVW has joined #openmrs
19:20:43 *** dkayiwa has quit IRC
19:28:27 *** k-joseph has quit IRC
19:43:24 *** djazayeri has joined #openmrs
19:43:24 *** ChanServ sets mode: +o djazayeri
19:45:44 *** k-joseph has joined #openmrs
19:51:02 *** k-joseph has quit IRC
19:54:34 *** k-joseph has joined #openmrs
20:10:02 *** k-joseph has quit IRC
20:17:03 <OpenMRSBot> Recent updates in the world of openmrs: OpenMRS Modules: Address Hierarchy 2.2.8 uploaded to OpenMRS Module Repository <https://modules.openmrs.org/modules/view.jsp?module=addresshierarchy&version=&2.2.8> || OpenMRS Modules: HTML Form Entry 2.0.3 uploaded to OpenMRS Module Repository <https://modules.openmrs.org/modules/view.jsp?module=htmlformentry&version=&2.0.3>
21:34:51 *** djazayeri has quit IRC
21:43:00 *** zorlak has joined #openmrs
21:47:49 *** LVW has quit IRC
22:01:35 *** djazayeri1 has joined #openmrs
22:01:36 *** ChanServ sets mode: +o djazayeri1
22:02:29 *** tobin_g has joined #openmrs
22:03:25 <djazayeri1> Hi all, I'm on my phone for the next 20m so will be a slow typist
22:03:56 <djazayeri1> But happy to help the hackathon
22:12:14 *** alden has joined #openmrs
22:12:16 <alden> hello
22:13:24 <djazayeri1> Hi
22:22:29 *** LVW has joined #openmrs
22:51:40 *** djazayeri has joined #openmrs
22:51:40 *** ChanServ sets mode: +o djazayeri
22:52:30 <djazayeri> Hi all, I'm at a physical keyboard now. Happy to answer any OpenMRS-related questions.
22:52:32 *** djazayeri1 has quit IRC
22:54:34 <Adian> Hello
22:54:41 <djazayeri> Hi
22:54:53 <Adian> We're mostly settled in here for some hacking
22:55:19 <Adian> so far we have lots of XSS, which I think you guys expected
22:56:05 <djazayeri> Yes indeed.
23:04:11 <djazayeri> Stepping away from the computer for a bit, but if anyone has questions, just mention my name. I have the volume turned up. :-)
23:05:18 *** kevin has joined #openmrs
23:11:34 *** matthewl has joined #openmrs
23:11:47 *** tobin_g has quit IRC
23:12:24 <Adian> no problem
23:16:44 *** alden has quit IRC
23:24:19 *** matthewl has left #openmrs
23:26:39 *** upul has joined #openmrs
23:26:39 *** ChanServ sets mode: +v upul
23:29:54 <zorlak> I'm analyzing source code with Findbugs. It's taking up a lot of resources so still waiting to hit the WebUI.
23:34:29 *** matthewl has joined #openmrs
23:34:42 <matthewl> Any OWASP folks in the room?
23:37:21 <djazayeri> matthewl: Adian is OWASP
23:37:22 <Adian> I'm here
23:37:56 <matthewl> Cool. Greetings
23:38:05 <Adian> howdy
23:39:09 <Adian> seems like there might be a potential for second-order SQLi in ConceptValidatorChangeSet.isNameUniqueInLocale
23:39:41 <Adian> and perhaps other places in that class. using hibernate's escapeSqlWildcards almost certainly only escapes wildcards
23:40:38 <Adian> not sure how likely it is that concept names could be malicious...
23:40:48 <Adian> previously stored ones, that is
23:41:40 <Adian> djazayeri?
23:42:58 <djazayeri> Concepts are administrator-created. (Though administrator isn't necessarily superuser.)
23:43:20 <djazayeri> so it would be a low-priority, if an issue
23:43:30 <Adian> ok, so you'd have to have a lot of privs. makes sense
23:43:50 <Adian> easy to fix though, so i'll leave it as a non-vuln note
23:44:25 <djazayeri> Adian: and that method is only called the first time you upgrade from pre-1.7 to 1.7 (I think), so it's even lower-priority.
23:44:39 <djazayeri> Adian: so yeah, include it in notes!
23:47:16 <Adian> ok, good to know. that's the kind of stuff I could waste an hour figuring out (the fact that it is only used in a one-time upgrade, rather than every upgrade)
23:47:40 <Adian> besides the XSS, I've also observed some issues with session management
23:48:10 <Adian> tomcat likes to put the session ID in the url upon first assignment, which opens up possibilities for leaks (namely, referer header)
23:48:22 <Adian> that's something you just have to manually tell tomcat not to do
23:48:30 <matthewl> It also looks like the session ID does not get changed on login, rather log-off
23:48:35 <Adian> then perhaps more worrisome is session fixation
23:48:37 <Adian> yup, exactly
23:48:54 <Adian> session fixation is a MitM-able condition
23:50:32 <matthewl> Running short on time, have to get back to studying, but I noticed what looks like a redirect issue. There are redirect & refererURL parameters that get sent when logging in. Anyone looked at that yet?
23:51:29 <Adian> I have not
23:51:41 <Adian> would be good to know if they allow redirect to arbitrary sites
23:52:20 <matthewl> My thoughts exactly. I'm going to poke at it for another 20-30 min then I'll have to finish my homework
23:52:44 *** mseaton has joined #openmrs
23:52:44 *** ChanServ sets mode: +v mseaton
23:54:43 <Adian> no prob. just be sure to submit any bug reports by 6p
23:54:52 <Adian> just email them to me
23:55:26 <matthewl> Cool.
23:57:40 *** mseaton has quit IRC